The Cyberthreat to Government That's Lurking in the Shadows

Many public employees use unsanctioned software on work computers. It poses serious security risks.

Michael Roling, Missouri’s chief information security officer (CISO), knew that some of the state’s 40,000 employees were using unapproved software they had downloaded from the cloud to their work computers and devices. But when his team ran a special software tool to figure out how extensive the practice was, they were surprised to learn that more than 2,500 unknown software programs or services were operating throughout the state’s IT network. “It was definitely an eye-opener,” Roling says. “We guessed we had some problems, but it turned out the number was far greater than what we could imagine.”

Roling isn’t the only IT official to miscalculate the size and scope of the problem. CISOs routinely underestimate the number of unsanctioned software programs that workers are using. A report from SkyHigh Networks, a software security firm, found that the typical public-sector organization uses nearly 750 cloud services -- 10 times the number IT departments expect to find.

The main reason for the explosive growth is the ease with which anyone can use these free services. Roling refers to it as the “consumerization of technology.” Years ago, you had to physically install the software on your computer using disks, and then read a manual to figure out how the software worked. “Today, you don’t need any in-depth understanding of software or computers to use these tools,” he says. “The complexity of installation has been taken out of the equation.”

Google apps, Dropbox and social media such as Facebook and Twitter, for instance, are popular mainstream cloud services that many people use. But what concerns CISOs are the less-known, less familiar services that workers might download, so-called shadow IT. Roling discovered some state workers were using a service called VK.com, which is the Russian version of Facebook. “The privacy and security of a platform like that, built in Russia, does not adhere to U.S. privacy and security laws,” he says. “That puts it into a very high-risk category.”

Security is the biggest problem with shadow IT. Whether the software is American or foreign, it often doesn’t meet the strict security standards set by government cybersecurity protocols. Popular file-sharing apps, for example, allow users to easily upload, store and download files, but they may contain viruses or malware that can spread and infect a state government network.

Despite the risks of shadow IT, most experts agree it’s unlikely to go away. Perhaps more concerning is that it’s difficult to police -- governments can’t anticipate every program a user might find useful and download. They already block the high-risk services they find. For those that are low risk, they go ahead and approve the use of software that doesn’t duplicate a service or tool the state already has on its network. Still, Roling has launched a program to educate state workers about the risk of using shadow IT.

In the end, though, the best way to understand shadow IT may be to view it not as a people or technology problem, but as a data security problem. “In government,” says Roling, “we need to do the best job we can to ensure data remains safe.”